AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an AI kernel/CLI with user-invoked networking, local mesh/MCP controls, provider API calls, and verification command execution aligned with its stated functionality.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs infinicode CLI commands such as run, serve, mcp, mission, or install-tui.
Impact
No unconsented install-time/import-time execution, credential exfiltration, persistence, or destructive behavior confirmed.
Mechanism
package-aligned AI agent CLI and local mesh control surface
Rationale
Static inspection found dangerous primitives, but they are exposed as explicit AI-agent, mesh, MCP, TUI installation, and verification features rather than hidden lifecycle/import-time behavior. No concrete malicious persistence, harvesting, exfiltration, or unconsented AI-agent control-surface mutation was found.
Evidence
package.jsonbin/infinicode.jsdist/cli.jsdist/commands/run.jsdist/commands/install-tui.jsdist/kernel/mcp/mcp-server.jsdist/kernel/federation/transport-http.jsdist/kernel/federation/federation.jsdist/kernel/verification-exec.js.opencode/plugins/mesh-commands.tsx
Network endpoints11
127.0.0.1:47913/fed/manifest127.0.0.1:47913/fed/command/fed/rpc/fed/stream/api/tagsapi.groq.com/openaiopenrouter.ai/api/v1models.inference.ai.azure.comintegrate.api.nvidia.com/v1router.huggingface.co/v1generativelanguage.googleapis.com/v1beta
Decision evidence
public snapshotAI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/kernel/verification-exec.js can spawn user/workspace verification commands when missions produce code.
- dist/kernel/mcp/mcp-server.js exposes user-invoked MCP tools for dispatch, slash commands, roles, and goals.
- dist/commands/install-tui.js can download or copy a TUI binary only when the install-tui command is run.
Evidence against
- package.json has no install/postinstall/prepare hook; prepublishOnly only runs npm run build for publishing.
- bin/infinicode.js only imports dist/cli.js; default run path is CLI/TUI launch, not hidden import-time payload.
- dist/commands/run.js network calls are aligned with configured Ollama, mesh localhost, and enabled AI providers.
- .opencode/plugins/mesh-commands.tsx posts slash commands to local INFINICODE_MESH_URL/127.0.0.1 only.
- No credential harvesting or exfiltration logic found; API keys are used as provider auth from user config.
- Remote command/task surfaces require explicit serve/mcp/run usage and optional bearer tokens, matching package purpose.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourcedist/commands/run.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = infinicode@2.3.3
matchedIdentity = npm:aW5maW5pY29kZQ:2.3.3
similarity = 0.963
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/commands/run.jsView on unpkgFindings
1 Critical3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/run.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings